100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
RATIO
THE FOUNDATION OF IRON · COURSE MATERIAL · WEEK 15
◆◆◆
SYSTEM
HARDENING
Week 15 of 26 · Block 5 — Bare Metal OS
10h theory · 25h practice
◆ WEEKLY LEARNING OBJECTIVES

1. Apply OS hardening principles on both Linux and Windows Server
2. Configure and manage SSH securely
3. Set up a local firewall on both systems
4. Manage security updates
5. Audit a basic system configuration

◆◆◆
⚠ WARNING — SHELF LIFE OF VERSIONS REFERENCED HERE

Hardening recommendations and firewall tools evolve with OS versions. The principles in this material remain valid; the instructor adapts the specific commands to the distribution and Windows version actually in use.

Amine RAITI · Infrastructure Architect & SRE
Public document · CC BY-NC-SA 4.0 · AI Powered by Amine
Opération Dindon
RATIO
COURSE OUTLINE · 10H
THEORY GUIDING THREAD
15.1 · OS hardening principles3h
— Principle of least privilege: a user, a service, a process should have only strictly necessary rights
— Reducing the attack surface: disable unnecessary services, close unused ports
— Role separation: a server should not combine incompatible critical roles
15.2 · Securing SSH (Linux)2h
— Disable password authentication, use SSH keys only
— Change the default port, restrict which users can connect via SSH
— Configure session timeout and maximum number of attempts
15.3 · Local firewall on Linux and Windows3h
— Linux: filtering-by-layer principle (recall of the OSI model, anticipating Week 17), configuring basic rules
— Windows: Windows Defender Firewall, network profiles (domain, private, public), creating inbound and outbound rules
— Common logic: define what is allowed, deny everything else (whitelist vs blacklist)
15.4 · Updates and basic audit2h
— Update strategy: automatic vs manual, importance of security updates
— Basic configuration audit: check active services, open ports, unused accounts
RATIO
EXERCISE 1 · SSH HARDENING AND LINUX FIREWALL · 12H

Equipment: the Linux server installed in Week 8, a client machine to test connections.

(3h) Generating an SSH key pair on the client machine, deploying the public key to the server, testing key-based login, disabling password authentication.
(2h) Hardening the SSH configuration: changing the port, restricting authorised users, configuring session timeout, verifying the changes.
(4h) Configuring the local firewall: setting a default deny policy, allowing only necessary ports (SSH on the new port, application ports in use), testing denials and allowances.
(3h) Configuration audit: list active services, list listening ports, list active user accounts, identify items to disable according to the minimum attack surface principle.
SOLUTION — EXERCISE 1

Critical point of caution: before disabling password authentication, always verify that key-based login works from a separate open session — if the key is misconfigured and the active session is closed, the server becomes locked out. This is the most common and most costly mistake at this stage.

Expected audit result: a clear list distinguishing necessary services (keep), useful but non-critical services (evaluate), and unnecessary services (disable) based on the server's expected role.

RATIO
EXERCISE 2 · WINDOWS SERVER HARDENING AND UPDATE MANAGEMENT · 13H

Equipment: the Windows Server installed in Week 11.

(3h) Initial audit: list all installed roles and features, identify those not needed for the test server's role, cleanly uninstall them.
(3h) Configuring the Windows Firewall: check the active profile, create a rule allowing a specific inbound port, create a rule blocking an unused port, test both rules.
(3h) Update management: check available updates, apply critical security updates, verify the result and restart if needed.
(2h) Post-hardening audit: compare the initial and final states (services, ports, updates), document the changes made and their justification.
(2h) Linux/Windows comparison: a summary table cross-referencing hardening actions performed on both systems — to anchor the conceptual consistency between the two environments.
SOLUTION — EXERCISE 2

Expected comparison table: SSH Linux ↔ RDP/WinRM Windows (secure remote access), iptables/nftables Linux ↔ Windows Defender Firewall (network filtering), apt/dnf Linux ↔ Windows Update (updates), journalctl Linux ↔ Event Viewer Windows (logs) — the logic is identical in both cases.

◆ SUMMARY SHEET — WEEK 15 SELF-ASSESSMENT
1. I can explain the principle of least privilege.
2. I can configure SSH with key authentication and disable passwords.
3. I can configure a local Linux firewall with a default deny policy.
4. I can create inbound and outbound Windows Firewall rules.
5. I can audit active services and listening ports on a server.
6. I can apply security updates on both Linux and Windows.
7. I can document the changes made during a hardening exercise.
8. I can draw the parallel between Linux and Windows hardening actions.